Jim Laurent's Weblog

Oracle recently updated their FAQ document on the acquisition of Sun Microsystems  (JAVA on NASDAQ currently trading at $8.20 against a $9.50 purchase price by Oracle).  There is a lot of encouraging news about OpenOffice, Glassfish, MySQL, Solaris and SPARC.

For the highlights, see this blog entry (he beat me to it) or read the entire FAQ.

As a Solaris fanatic, I'm very excited about their statements such as:

Oracle plans to spend more money developing Solaris than Sun does now. The industry leading capabilities of the Solaris operating system make it the leader in performance, scalability, reliability, and security – all of which are core requirements for our customers. Oracle plans to enhance our investment in Solaris to push core technologies to the next level as quickly as possible.

We expect that our customers will see the management of their environments that run both Linux and Solaris simplified. Additionally, customers using both Solaris and Linux will be able to rely on one vendor, Oracle, for the support of their entire stack – applications to disk.

Oracle and Sun’s management software are highly complementary. Oracle Enterprise Manager provides comprehensive solutions for managing the full Oracle stack including applications, middleware, database, Linux, and virtualization. Sun Ops Center provides a comprehensive solution for managing Sun servers and their firmware; Solaris, Linux and Windows operating systems; and virtualization technologies such as Solaris Containers and Logical Domains. Oracle Enterprise Manager and Sun Ops Center are expected to combine and deliver to customers the most complete top-down application and systems management environment from applications to hardware.

I know that my federal government customers will be excited to see that Oracle is behind Sun's open source strategy particularly in light of the recent DoD statement about open source.

This memo from the DoD Deputy CIO states:

In almost all cases, OSS meets the definition of “commercial computer software”
and shall be given appropriate statutory preference in accordance with 10 USC 2377
(reference (b)) (see also FAR 2.101(b), 12.000, 12.101 (reference (c)); and DFARS
212.212, and 252.227-7014(a)(1) (reference (d))).

In addition, it notes that:

The use of any software without appropriate maintenance and support presents an
information assurance risk.

Which means that government users of open source products should pay for support to the appropriate vendor.

 The memo also calls out a number of benefits of open source including rapid prototyping, lower costs, security, reliability and avoiding vendor lock-in.

I recently had the opportunity to speak at FOSE about cloud computing.  I was also stationed at Sun's table in the Cloud section of the exhibit hall and had an unbelievable number of people come up and ask me what I thought cloud computing is.  Sometimes I think they were just polling all the vendors to see how many different answers they could get.  Needless to say, there are a wide variety of opinions as to the meaning of a cloud and the best use of a computing cloud.

While traveling to Anaheim last week for the DISA customer conference, I spent a good amount of time in LAX.  It occurred to me while I was sitting there that the airport is a perfect analogy to a cloud.  It just happens to be a transportation cloud.

What is an airport?

An airport is a shared transportation resource run by a single organization serving a variety of vendors and customers.

How is an airport like a cloud.... Let me count the ways.

1. Shared common security model that keeps vendors and customers in the right place at the right time.
2. Shared infrastructure that can be virtualized to a variety of vendors depending upon their needs including:
1. Runways
2. Gates
3. Ticket issuing stations
4. Baggage handling
   
5. Security stations
6. Customs inspectors
7. Shopping
   
3. Air traffic control to ensure that planes don't crash in the air
4. Ground traffic control to ensure that planes go to gates they've paid for
5. A single manager for the shared service (the local airport authority)

Why did airports become clouds?

Imagine if each airline actually had to have it's own airport in each city.  A Delta plane could only fly from one Delta airport to another.  Each would need their own runways, parking lots, security guards and more.  It would clearly be an unsustainable model.

Benefits of the transportation cloud

Clearly the airlines saw the benefits of sharing an infrastructure in a number of ways including:

• Reduced costs (less real estate, infrastructure and personnel)
  
• Reduce training through standardization of tools and process
• Improved efficiency
• Less waste (fewer unused resources such as ticket agents, gates, security guards)
  
• The ability to scale an airline up or down as economic factors required and pay for only the resources used.
  

The idea of a cloud is not so new after all and has been around for years in different forms.  It's up to us in the computer industry to take these existing models with manual processes and automate them in a way that provides the same security and flexibility as we find in an airport today.

One of the unique things about the "transportation cloud" is that planes can easily leave one cloud (the LAX cloud) and travel to another cloud (the DCA cloud)  because of agreed upon standards in flight number, communications protocols and a standardization body (the FAA).  Sun is building a cloud infrastructure just as Google, Microsoft, Amazon and other have.  Sun, however, is also focusing on open, interoperable standards for cloud computing so that sometime the future, it will be easy to move an application not just within the Sun cloud from from the Sun cloud to the Amazon  cloud and back again.

Join the community and start to experience the benefits of the cloud.  Learn more and stay up to date on the status of Sun's cloud computing offering.

Hopefully, I'll see you sometime soon in the clouds.

Important note

This blog is my opinion only (actually just random musings) and does not represent official Sun policy.  I have no inside knowledge of Oracle or Sun's intentions or plans for the upcoming acquisition of Sun by Oracle

There are a whole host of reasons that Oracle bought Sun, some of which have already been clearly stated by Oracle management. They include Java, MySQL, Sparc, Servers, Storage and Solaris. Listen to the webcast to hear it from Larry Ellison, Safra Catz as well as other Oracle and Sun leaders.  Also, please review the FAQ regarding the acquistion.

I think that there are some specific things that Oracle will love to gain in this acquisition.

Star/Openoffice

As the second largest software company in the world, there is at least one thing that Oracle has NOT had yet that their primary competitor has and that is an office automation suite used by students, grandmas,  and enterprises worldwide.  The ability to have your name in front of millions of users is a powerful tool particularly when they can download it for free and run it on Windows, MacOS, Linux distros and Solaris.  I think we know that Larry is not a great friend of Microsoft and this will give him one more thing to poke in their eye.

xVM VirtualBox

This free and powerful virtualization tool provides an ideal platform to allow customers to test, develop and deploy Oracle software solutions on a variety of platforms in the comfort of a user's own laptop.  Its upcoming ability to upload a virtual machine to the "cloud" will provide a low cost way for Oracle to accelerate adoption of their hosted application services.

JavaFX

The upcoming land grab for rich internet applications (RIAs) will be a fierce competition between Microsoft, Adobe and Oracle with Sun's JavaFX.  JavaFX provides an advanced tool with proven security and programming model to deploy RIAs on billions of devices over the network.  Its open source status will ensure a broad developer acceptance and diverse contributions from industry, academia and government.  In the fight for "eyeballs" JavaFX will provide Oracle with a significant competitive advantage in function as well as wide device support.

Sun Federal

Sun Federal has a broad reach and it an important strategic part of Sun Microsystems.  Our staff works closely with DoD, Intelligence and Civilian agencies to deploy mission critical applications using a complete systems approach of servers, storage, software and services.  With the anticipated new requirements for government IT efficiencies, Sun Federal will be a real asset to Oracle.

GlassFish

This free, open source application server is fast and easy to download and get started.  I can provide a low (no) cost way for new businesses to get started in enterprise datacenters, college dorm rooms or Amazon EC2 appliances.  Owning Glassfish will give Oracle access to a whole class of customer that normally might not consider their enterprise software.

The Sun Modular Datacenter

What better way to deliver a soup to nuts enterprise application service in a can?  Enough said!

Sun Ray thin clients

As far back as 1996, Larry Ellison has been talking about a low cost, network computer that draws services from a virtualized desktop environment. Sun introduced the Sun Ray ultra-thin client in 1999, and I can personally vouch for the fact that some of those early revision network appliances are still working on desks in our Sun Federal headquarters in McLean, VA.  The savings in energy, noise, real estate and refresh costs certainly must have helped Sun's bottom line along the way.  We have deployed many tens of thounsands Sun Rays in commercial industry and government over the years.  I feel certain that Oracle will expand the usefulness and applicability of the Sun Ray.

---

I have only touched the surface of advanced research, development, services and products from which Oracle will benefit.  Both Sun and Oracle have always believed that the customer wants true innovation from their IT vendors.  This is what Sun strives for at all times.

I leave you with a quote from a developer I met at the DISA customer conference this week.

"I love Java.  I wrote my thesis on Java.  I think this merger of Oracle and Sun is a match made in heaven."

What do you think?  Please offer your comments!

To see what Jonathan, Mike Lehman, Peter Ryan, Dave Douglas an others are telling the analyst community, see the webcasts at:

http://www.sun.com/events/sas/index.jsp

With the release of Virtual Box 2.0, I'm happy to report that VB for Mac now supports "host networking." What does this mean to you?  In the 1.x version of VB for Mac, only NAT support was included which made it extremely difficult for your Solaris OS within VB to actually act as a server on the network.  With the new host networking, the Solaris VM can now assign itself an IP address on your network.

With this in mind, I set about to reproduce the steps I detailed earlier this year for creating a Sun Ray thin client server on my Mac.  After configuring a new Solaris 10 VM with 1 GB of RAM, 8 GB of disk and host network, I installed the Sun Ray server software (using my handy instructions previously posted),  and it worked with no problem.

In case you haven't heard of it, Virtual Box is:

• a type 2 hypervisor
• Free
• one of Sun's many Open Source projects
  
• supported on a variety of host OSes (Windows, Linux, Macintosh and OpenSolaris)
• capable of running a variety of guest OSes
• now owned and being developed by Sun Microsystems as part of the open source xVM family of virtualization products

Happy Birthday to OpenSolaris!  It's now two years old.  See this great blog entry by Jim Grisanzio on how far the project and community have come.

 

 

Sun has a number of great upcoming events surrounding the open source development model and benefits that customers, system integrators and end users can derive from open source products. 

Sun is the leading commercial provider of open source technology in the world today.  Unlike many of our competitors (Microsoft, HP, IBM and Apple come to mind) Sun has completely open sourced a wide variety of our most strategic technologies including:

• The world leading Solaris 10 OS including the recently released Trusted Extensions
  
• Our low cost StarOffice suite of desktop tools which uses the OpenDocument file format.
  
• Java (under the GPL license) and many components of the Java Enterprise System
• NetBeans, one of the major software integrated development environments.
• Our innovative and power saving UltraSPARC T1 microprocessor
• Sun GridEngine, a powerful high performance computing Grid mangement tool
  
• And many more that can be found at sunsource.net
  

As a Sun Federal employee who works closely with the US DoD, I can tell you that the DoD believes strongly in an open source development model.   In a paper written by the Office of the Secretary of Defense, they list three of their primary goals to be:

1. Leverage open source infrastructure and technologies
2. Apply open source collaborative technologies
3. Change the default acquisitions and development behavior to default to technology services vs. products

They also make note of OpenSolaris and quote Scott McNealy as saying:

You learn to share in preschool. Later you learn that if you make the pie
bigger, everyone gets a little more. These lessons came together
when we started Sun. We didn't have the resources to do
everything ourselves, so we shared what we had to attract
customers and get their help in building the business. There are
now 4.5 million Java developers and about 950 companies
worldwide all collaborating on a technology Sun shared with the
community.

This is possible because sharing creates communities, which create
new markets. It's also changing business models: Companies can
no longer expect to lock in customers with proprietary standards.
They must now compete on the value of their business execution.
They monetize that value a little bit, spread over the entire
community. With 1 billion people on the network today, and several
million more joining every week, there's a lot of opportunity. So
while it may seem counterintuitive for a company to share, it's the
key to larger economic growth ― not only for Sun, but also for
everyone in the world.”

As an example, the US Joint Forces Command (JFCOM) has started a project based upon OpenOffice (the baseline for Sun's StarOffice product).   Using OpenOffice as a base, they are building a "Security Enhanced Office Automation suite."  Apparently they are unwilling or unable to do this using Microsoft's "Shared Source" agreement.

Some of JFCOM's stated benefits from using open source include: 

• Increased Flexibility– If you don’t like what the vendor or community is doing with the product you can change it
• Increased Security
• Ability to inspect and change (if necessary) the source
• Ability to verify that the executing version is the one actually derived from the source code.
• Potentially reduced procurement and maintenance costs
• Increased ability to reuse code
• Increased ability to share technology with Coalition partners
• Cost Sharing - Leverage the large open source community to help develop, test and improve your applications

My customer, Defense Information Systems Agency (DISA), is moving toward adopting Solaris 10 in their mission critical Command and Control applications as well as their data processing centers.  The fact that it is based upon the OpenSolaris project is viewed as postive by them.

If you would like to learn more about Sun's efforts in the open source communities, please visit OpenYourMindToday.com and sign up for the next two events:

•  Seminar: "Open Your Mind to Open Source"
     Keynote: Scott McNealy, Chairman, Sun Microsystems, Inc
     Date: January 23, 2007, Tysons Corner, Virginia
  


• Online Web Seminar: "Open Your Mind to Open Source"
     Date: January 30, 2007

Why should you care?

Using open source technologies can provide faster time to market, lower cost and reduced risk of vendor lock-in.  Sun's product portfolio is based largely on open sourced technologies.

 

Sun Microsystems Named Best Server, Best High-Performance Server and Java IDE Innovator by InfoWorld in Its 2007 Technology of the Year Awards

 Sun Microsystems, Inc. the creator of Java technology and Solaris, today highlighted three industry leading products -- Sun Fire X4200, Sun Fire X4600 and NetBeans Integrated Development Environment 5.5 -- as recipients of Technology of the Year Awards by InfoWorld. Garnering top honors from the InfoWorld Test Center, Sun is honored with prestigious titles: Best Server, Best High-Performance Server and Java IDE Innovator.

 The X4200 and X4600 support the operations of the open source Solaris 10 OS as well as Microsoft Windows 2003 server, Red Hat and Suse.  Netbeans runs on a variety of platforms including Solaris, Windows, Linux and MacOS.

 Click the link above for the entire article.

 

As a longtime Mac user (and someone who is 100% Microsoft free at home and work) it's important to me to be able to have a common user interface as I move from home to work.  When Sun first introduced Gnome in Solaris this caused a problem because the look and feel was too much like windows for my taste and after years of MacOS and CDE usage it was really annoying to close a window in the upper right corner instead of upper left where God and Steve Jobs  intended the close box to be.

I use this setup on my Solaris 10 based Sun Ray ultra-thin client at the office as well as my Acer Ferrari 3400 laptop.

Thanks to some Gnome theme hackers, I can now have a MacOS look and feel with window widgets where they belong.  Get the theme and icons at: http://www.gnome-look.org/content/show.php?content=13548

Don't forget the most important step:

• start gconf by typing: gconf-editor and hitting enter.
• This program is a bit like the registry editor for windows.
• In the tree on the left you need to go to /apps/metacity/general/
• There is then a key in the right pane called "button_layout"
• edit this key so that it reads:
• close,minimize,maximize
  

Why should you care?

If you are a MacOS and Solaris user, this will maximize your productivity by providing a more familiar user interaction.  I also enjoy the confused looks I get when I open up my hot, red Ferrari laptop, boot Solaris and login to a Mac like desktop. 

I have it on good authority (from Sun Federal COO Bill Vass) that Solaris 10 03/05  has completed its Common Criteria evaluation.  It will take us a while to issue a formal press release, but the evaluation is complete.  This evaluation was at EAL 4+ using the Controlled Access Protection Profile (CAPP) and the Role Based Access Control PP.  The process has taken over a year and cost a significant bundle of cash.  Solaris 10 with Solaris Trusted Extensions (found in the 11/06 update) is current under evaluation with the addition of the Labeled Security PP and should complete next year.

Congratulations and thanks to Sun's evaluation team including Jane Medefesser, Vanessa Kong, and Linda Gallops.

A little history.....

A long, long time ago (back in the 1980s) the NSA created a program known as the Trusted Computer System Evaluation Criteria (TCSEC). As an employee of Gould Computer Systems (RIP!) at that time, I know that Gould's UTX-32 OS was the first commercial Unix to receive a TCSEC C2 evaluation by the NSA.  Gould sold about 5 copies of that OS after spending millions of dollars to complete the process.  The UK had an equivalent program known as ITSEC. The TCSEC labeled OSes using a letter/number scheme still referred to by some today:

• C2 is roughly equivalent to today's CAPP
• B1 is roughly equivalent to today's LSPP
  

There were two major problems with the NSA system.

1. The process took so long and cost so much that an evaluated product was no longer competitive and didn't run on the latest hardware.
2. An evaluation completed by the NSA meant nothing to the UK, Germany, or other countries who had their own evaluation schemes.
   

As a result, the Common Criteria process was established and a number of countries agreed to abide by it.

What is a CC Evaluation?

 The Common Criteria is an international set of standards for evaluating software products against a set of  requirements.  There are two parts to a CC designation; Evaluation Assurance Level and Protection Profile (more info)

 Evaluation Assurance Level

The EAL designates the level of rigor that was applied to an evaluation.  Levels range from 1-7 and are defined as:

• EAL1 - functionally tested
• EAL2 - structurally tested
• EAL3 - methodically tested and checked
• EAL4 - methodically designed, tested and reviewed
• EAL5 - semiformally designed and tested
• EAL6 - semiformally verified design and tested
• EAL7 - formally verified design and tested
  

At this time, EAL4 is the highest level that can be transferred from one country to another. 

Protection Profile

A protection profile defines the technical functions required to be evaluated.  For example, the Controlled Accesss Protection Profile includes requirements for (among others):

• User authentication  (you have to login)
• Access control (Unix-style permissions)
• Auditing (know what has happend on the system)
• Prevention of object re-use (clear memory and disk before giving it to another user) 

There are a variety of protection profiles for product classes including OS, Database, Firewall, Encryption etc.  It is also possible to get a CC Evaluation without a protection profile although the usefulness of such a thing is debatable.

Other protection profiles that apply to Solaris include:

• RBAC Role Based Access Control
  
• LSPP - Labeled Security PP for multi-level data 

Who cares about Common Criteria.

The US Federal Goverment and Department of Defense have a variety of policies (FISMA and DoD Directive 8500.2) dictating that CC evaluated products should be use where they exist and are preferred over non-evaluated products.  As a result, nearly all purchases by the US government require that an OS be evaluated or at least in the evaluation process.  Sun has a long history of evaluated Solaris OS versions over the last 10 years.

As an engineer at Sun with many years of DoD customer experience, I'm frequently asked a number of questions about the interpretation of the CC requirements in the DoD (see the questions in the comments section):

Can I use a Solaris update that's different than the certified version?

Strickly speaking, any change that you make to the certified baseline (platform, version, patches) means you are running an "uncertified configuration."  This doesn't make you less secure.  Strict conformance to this policy would seriously prevent you from running the latest Solaris version or taking advantage of the latest hardware.

What is the US DoD policy on using later Solaris updates?

While I can't speak for the government, I can relate my direct conversations with officials at the Defense Information Systems Agency (DISA) who create and enforce these policies.  I have been told that a CC evaluation is a "Checkbox" activity that is NOT the most important item in a security accreditation.  The fact that a more recent update of Solaris has not been certified directly should not prevent you from using it.  However, if the update has a new security feature that has not been evaluated and you are planning to use that feature, it may be more difficult to get your system accredited.  DoD customers should work directly with DISA in this area.  There is a help desk available at the DISA Field Security Office

What about commercial customers?

Each customer has their own policy.  Some simply require that a product be "in evaluation."  Others require that some version of the product has been certified.  Work with your customer's security office to determine their policy.

What does DoD Directive 8500.2 say about CC?

Feel free to read it, however, to paraphrase section E3.2.5:  If there is a certified product, you must use it.  If there is no product that's certified, it should be "in evaluation."  If there is no product in evaluation, a commitment from the vendor to evaluate should be made before you buy.  If there is no defined protection profile for a product class (eg. VMware), the vendor should create a security target and have it evaluated.

If the process was not designed to actually detect software bugs or vulnerabilities in an OS, then what does it check?

This question emphasizes the current disappointment that DoD officials have with the process.  They are paying extra money for evaluated products but not necessarily getting better products because of the evaluation process.  The process is designed to ensure that a product behaves as documented but it is NOT a source code scrub for buffer overflows, coding errors or other issues (The fact that MS Windows products are evaluated at EAL4 should make this point painfully obvious!).

Does every product need to be CC  evaluated?

The DoD directive refers only to "IA products, and IA-enabled IT products."  They define IA-enabled product as "Product or technology whose primary role is not security, but which provides security services as an associated feature of its intended operating capabilities. Examples include such products as security-enabled web browsers, screening routers, trusted operating systems, and security-enabled messaging systems."  By this definition a product like StarOffice is NOT IA-enabled, however, a web portal or identity management systems is IA-enabled in my opinion.  Some would say, "If it asks for a username and password, it's IA-enabled."

What is NIAP and who does the evaluations?

NIAP is the National Information Assurance Partnership between NIST and NSA.  They control the CC program in the U.S.  An evaluation is done by an independent commercial laboratory known as a commercial licensed evaluation facility or CLEF.  Sun's evaluation was done by a Canadian CLEF.

What's wrong with the current Common Criteria process?

Although the current process is somewhat better than the old NSA process, it still leaves something to be desired.  I have heard it stated in public forums by DoD employees that the CC process does not meet all Government's goals.   Current problems include:

• It still take a long time (about 1 1/2 years) resulting in delays in purchasing state of the art products.
• The process is not designed to actually detect software bugs or vulnerabilities in an OS
• The rules for adoption of the OS are interpreted in a wide variety of ways across organizations.
• It is not flexible in handling OS updates and patches
  

What is the difference between a CC evaluation and a site accreditation?

Products are CC evaluated, sites and solutions are accredited.  For example, a particular site may take a number of CC evaluated products, install them on computers, connect to different classifications of network and put the whole solution in a particular building.  An accreditation ensures that all these steps were followed with security in mind and that the products, policies, people and procedures meet the security requirements of  the mission.  An accounting system has different requirements than a warfighting or intelligence gathering system and the accreditations will vary for each even if they use the same products.

Why should you  care?

CC evaluations provide an assurance that a product has been documented properly and behaves in accordance with its documentation.  It is an external, third party audit of a product that provides a higher level of assurance on the capabilities of the delivered product. Sun takes our responsibility for security very seriously and our goal is to ensure that Solaris is the preferred platform for Federal mission critical systems.

Sun has a long history of evaluated versions of Solaris including 2.5.1, 2.6, 8, 9, 10 and various Trusted Solaris versions.

CC evaluated products are preferred by most US Federal and DoD procurements.


 

Today I'd like to welcome Sun Federal to the internet!

Sun Microsystems Federal is a wholly owned subsidiary of Sun Microsystems targetting the special requirements of the US government.  Because the government is generally every computer vendor's largest customer, an organization with the skills and capabilities of SunFed is required to comply to the various laws and procurement restrictions.  For example, our employees are US citizens and we are required to keep customer data in the US.  We also have staff with the unique skills and experence to help respond to government RFP and GSA schedule requirements.

Scott McNealy is now the Chairman of the board for SunFed (in addition to being Chairman of SMI).  Bill Vass has moved from being Sun's CIO to a role as the COO of SunFed.  Anthony Robbins manages Federal Sales.

The majority of SunFed's roughly 500 personnel are located in the Washington D. C. area at offices in McLean, Reston and Ashburn VA as well as Columbia MD; however, we have a nationwide presence.  Many have security clearances required to work with Homeland Security, DoD and Intelligence agencies.  Sun Federal does about $1 billion in government business each year.

If you are interested in Sun's products and services, call 800-786-0404.  Our Government telesales team there can answer your questions, provide a GSA quote or connect you with your local Sun Sales team.

Why should you care?

Sun Federal can provide unique solutions for the US Government that include services, systems, storage and software.

Some of our government unique solutions include:

• Secure Network Access Platform
• Utility Computing
• STARS

Sun has been keeping secrets again, even from me!  It's always fun to learn new things that Sun is doing by finding press releases at Yahoo.

In this case, it's a general purpose data center in a box.  (Well, it's a big box, a standard shipping container, really) Called project Black Box, it's apparently been under development for a few years.  The details will be announced at 9 AM EDT. 

Why should you care?

If you have a need for fast portable computing power this could be just what you need.  It could be a military deployable compute capability our simply augment a retail company during the Christmas season.  I would anticipate a good demand for this kind of thing where I work in Sun Federal.

On May 23, Joshua Brindle posted a reply to an open letter written by one my colleagues, Darren Moffat . In that reply entitled  Trusted What? there were several statements made about Trusted Extensions that are apparently misunderstandings.  Glenn Faden is the architect of Solaris 10 Trusted Extension and has posted a rebuttal in his blog.

Why you should care....

If you are unclear about the differences between the security model of SE linux and Solaris 10 Trusted Extensions, Glenn's blog will help you to understand the level of effort that we put into our products to make them secure and  easy to use.